Some configuration files are executables and so they require the signature in the extended attribute. If they are not executable, they can be skipped.
Examples for configuration files that are also executables are the grub files in /etc/grub.d. Signed-off-by: Stefan Berger <stef...@linux.vnet.ibm.com> --- plugins/ima.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/plugins/ima.c b/plugins/ima.c index be15ecf..76c7d3d 100644 --- a/plugins/ima.c +++ b/plugins/ima.c @@ -49,13 +49,18 @@ static rpmRC ima_psm_post(rpmPlugin plugin, rpmte te, int res) } while (rpmfiNext(fi) >= 0) { - /* Don't install signatures for (mutable) config files */ - if (!(rpmfiFFlags(fi) & RPMFILE_CONFIG)) { - fpath = rpmfiFN(fi); - fsig = rpmfiFSignature(fi, &len); - if (fsig && (check_zero_hdr(fsig, len) == 0)) { - lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0); - } + /* Don't install signatures for (mutable) files marked + * as config files unless they are also executable. + */ + if (rpmfiFFlags(fi) & RPMFILE_CONFIG) { + if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH))) + continue; + } + + fsig = rpmfiFSignature(fi, &len); + if (fsig && (check_zero_hdr(fsig, len) == 0)) { + fpath = rpmfiFN(fi); + lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0); } } exit: -- 2.5.5 _______________________________________________ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint